CAC issues notice on protecting personal information collected during effort to control epidemic | Practical Law

CAC issues notice on protecting personal information collected during effort to control epidemic | Practical Law

The Cyberspace Administration of China has issued a notice aimed at curbing the unauthorised collection, use and disclosure of personal information in the effort to control the spread of the Covid-19 novel coronavirus epidemic.

CAC issues notice on protecting personal information collected during effort to control epidemic

The Cyberspace Administration of China has issued a notice aimed at curbing the unauthorised collection, use and disclosure of personal information in the effort to control the spread of the Covid-19 novel coronavirus epidemic.
On 9 February, the CAC issued the Notice on Doing a Good Job Protecting Personal Information while Using Big Data in Supporting Joint Prevention and Control, with immediate effect.
The notice supplements the Cyber Security Law 2016 by addressing the unauthorised collection, use and disclosure of personal information in the effort to control the spread of the novel coronavirus, Covid-19.
The notice restricts the collection of personal information in response to the epidemic to those entities and individuals authorised by the National Health Commission under applicable laws (except where a data subject gives consent) and orders these institutions to adopt strict management and technical protection measures to prevent theft and leakage of the data.
Personal information collected to control the epidemic must comply with the relevant national standard, the Personal Information Security Specification (see Quick guide: Cybersecurity and data protection: China: Personal information security). Collection must be narrowly tailored to key groups (as opposed to broad geographic areas), such as diagnosed persons, those suspected of exposure and those in close contact with diagnosed or suspected individuals. The data must not be used for purposes other than controlling the epidemic, unless it is de-sensitised by removing the data subjects' name, age, home address and so on.
The notice also permits any organisation or individual who discovers the collection, use or disclosure of personal information in violation of laws and regulations to report it to the relevant office of the CAC or the local public security department.
For more related information, see our new series of Articles on the impact of the coronavirus outbreak.